Letters to Medicare Enrollees Pose Potential HIPAA Violation
Last week we learned that Humana — and possibly some other Medicare plans — inappropriately used enrollees’ personal data to send them letters saying they could lose their benefits and services due to the impending health care reform legislation in Congress. The Centers for Medicare and Medicaid Services (CMS) called on all plans serving Medicare beneficiaries to stop such communications and launched an investigation into whether Humana’s use of the personal data violated any federal laws. Some reacted by accusing CMS of trying to squelch the “free speech” of private health plans – but whether Medicare has the right to place some limits on communications from its contractor plans is only one of the issues implicated by this activity. Humana — in using enrollees’ names and addresses to facilitate communications — arguably committed a violation of the HIPAA Privacy Rule. The Privacy Rule sets forth very specific rules governing how health plans (and other health care entities) access, use and disclose an individual’s protected health information (PHI), which includes mere demographic data like names and addresses. We do not see how the Privacy Rule permits plans to use enrollee personal data for this purpose. The Privacy Rule in general requires health plans to be good stewards of enrollees’ personal data and allows them to use information to the extent needed to effectively manage health coverage. But these fairly liberal rules should not be construed as a blank check on the use of enrollee data. Vital to enrollees’ willingness to share personal data with health plans is the enrollees’ ability to trust that the information is protected, kept confidential, and used only for legitimate purposes. The misuse by Humana and possibly others of enrollee data significantly undermines this trust. CMS’s call to plans last week and its current investigation of Humana are a good start. However, the Office of Civil Rights (OCR) within the U.S. Department of Health and Human Services (HHS) is officially authorized to enforce the HIPAA Privacy Rule, and we have yet to hear a reaction from them. After years of lax enforcement of the HIPAA rules the public has the right to expect better. CDT calls on OCR (and HHS) to aggressively enforce HIPAA rules and make clear that enrollee personal data cannot be used to achieve an entity’s political goals.